Closed Bug 724356 Opened 10 years ago Closed 10 years ago

Crash @ gfxMixedFontFamily::ReplaceFontEntry


(Core :: Graphics, defect)

13 Branch
Windows 7
Not set





(Reporter: scoobidiver, Assigned: jfkthame)



(Keywords: crash, regression)

Crash Data


(1 file)

It's a new crash signature that first appeared in 13.0a1/20120204.
The regression range is:
It's likely a regression from bug 721315.

Signature 	gfxMixedFontFamily::ReplaceFontEntry(gfxFontEntry*, gfxFontEntry*)
UUID	1d72c5fe-d632-4b79-b473-ba8082120205
Date Processed	2012-02-05 01:09:40
Uptime	67
Last Crash	1.1 minutes before submission
Install Age	9.7 hours since version was first installed.
Install Time	2012-02-04 15:25:00
Product	Firefox
Version	13.0a1
Build ID	20120204031137
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Address	0x14
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x2e32, AdapterSubsysID: 02f51028, AdapterDriverVersion:
D2D? D2D+
DWrite? DWrite+
D3D10 Layers? D3D10 Layers+
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	xul.dll 	gfxMixedFontFamily::ReplaceFontEntry 	obj-firefox/dist/include/gfxUserFontSet.h:117
1 	xul.dll 	nsUserFontSet::ReplaceFontEntry 	layout/style/nsFontFaceLoader.cpp:711
2 	xul.dll 	gfxUserFontSet::OnLoadComplete 	gfx/thebes/gfxUserFontSet.cpp:563
3 	mozglue.dll 	je_free 	memory/jemalloc/jemalloc.c:6580
4 	mozglue.dll 	je_free 	memory/jemalloc/jemalloc.c:6580
5 	mozglue.dll 	je_free 	memory/jemalloc/jemalloc.c:6580
6 	xul.dll 	nsTArray_base<nsTArrayDefaultAllocator>::ShiftData 	obj-firefox/dist/include/nsTArray-inl.h:266
7 	mozglue.dll 	je_free 	memory/jemalloc/jemalloc.c:6580
8 	xul.dll 	nsTArray_base<nsTArrayDefaultAllocator>::ShiftData 	obj-firefox/dist/include/nsTArray-inl.h:266
9 	xul.dll 	nsHttpChannel::QueryInterface 	netwerk/protocol/http/nsHttpChannel.cpp:3630
10 	xul.dll 	nsCOMPtr_base::assign_from_qi 	obj-firefox/xpcom/build/nsCOMPtr.cpp:96
11 	xul.dll 	nsFontFaceLoader::OnStreamComplete 	layout/style/nsFontFaceLoader.cpp:245
12 	xul.dll 	nsStreamLoader::OnDataAvailable 	netwerk/base/src/nsStreamLoader.cpp:182
13 	xul.dll 	nsStreamLoader::OnStopRequest 	netwerk/base/src/nsStreamLoader.cpp:127
14 	xul.dll 	nsCORSListenerProxy::OnStopRequest 	content/base/src/nsCrossSiteListenerProxy.cpp:646
15 	xul.dll 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/nsHttpChannel.cpp:4355
16 	xul.dll 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:583
17 	xul.dll 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:405
18 	xul.dll 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:114
19 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:657
20 	xul.dll 	nsTArray<nsTimerImpl*,nsTArrayDefaultAllocator>::IndexOf<nsTimerImpl*,nsDefaultComparator<nsTimerImpl*,nsTimerImpl*> > 	obj-firefox/dist/include/nsTArray.h:652
21 	nspr4.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c:347
22 	xul.dll 	TimerThread::RemoveTimer 	xpcom/threads/TimerThread.cpp:435
23 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
24 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/
25 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/
26 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
27 	xul.dll 	nsAppShell::Run 	widget/windows/nsAppShell.cpp:258
28 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:220
29 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3537
30 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107

More reports at:*%2C%20gfxFontEntry*%29
This crash signature is triggered by bug 721315, I think, but it's really just highlighting a pre-existing problem that could have led to unpredictable behavior due to using a potentially-invalid family record.
Assignee: nobody → jfkthame
Attachment #594530 - Flags: review?(jdaggett)
Jonathan, how do we hit this codepath with mFamily == nsnull?
I suspect we could hit this if the user font set has been deleted (e.g. due to navigating away from the page) immediately before the font loader completes, so the font set deletes the family (which now, since bug 721315, causes it to invalidate the mFamily pointers in its faces).
Attachment #594530 - Flags: review?(jdaggett) → review+
Pushed to inbound:
Target Milestone: --- → mozilla13
Closed: 10 years ago
Resolution: --- → FIXED
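
The scenario suspected in the comments above (a font load completing after the family has been deleted and its faces' back-pointers cleared), as an added C++ model that is neither Gecko code nor the attached patch. `Face`, `Family` and this `OnLoadComplete` are simplified, hypothetical stand-ins, and the null check is an assumed way of handling the late completion.

```cpp
#include <memory>
#include <vector>

struct Family;
// Simplified stand-in for a font face: raw, non-owning back-pointer to its family.
struct Face {
    Family* family = nullptr;  // cleared when the family is destroyed
};

struct Family {
    std::vector<std::shared_ptr<Face>> faces;
    void Add(const std::shared_ptr<Face>& f) { f->family = this; faces.push_back(f); }
    bool Replace(Face* oldFace, const std::shared_ptr<Face>& newFace) {
        for (auto& slot : faces) {
            if (slot.get() != oldFace) continue;
            oldFace->family = nullptr;
            newFace->family = this;
            slot = newFace;
            return true;
        }
        return false;
    }
    // Invalidate back-pointers so no face keeps a dangling pointer.
    ~Family() { for (auto& f : faces) f->family = nullptr; }
};

// Load-completion path: the loader still owns the proxy face, but its family
// may already be gone. Calling Replace() through a null family would crash.
bool OnLoadComplete(const std::shared_ptr<Face>& proxy, const std::shared_ptr<Face>& loaded) {
    Family* fam = proxy->family;
    if (!fam) return false;  // font set torn down: drop the loaded face
    return fam->Replace(proxy.get(), loaded);
}

bool LateCompletionIsRejected() {
    auto proxy = std::make_shared<Face>();
    { Family fam; fam.Add(proxy); }  // family destroyed while the load is in flight
    return !OnLoadComplete(proxy, std::make_shared<Face>());
}

bool NormalCompletionReplaces() {
    Family fam;
    auto proxy = std::make_shared<Face>(), loaded = std::make_shared<Face>();
    fam.Add(proxy);
    return OnLoadComplete(proxy, loaded) && fam.faces[0] == loaded &&
           loaded->family == &fam && proxy->family == nullptr;
}

int main() { return (LateCompletionIsRejected() && NormalCompletionReplaces()) ? 0 : 1; }
```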